MULTI-PROFILE INTERFACE SPECIFIC NETWORK SECURITY POLICIES
Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device.
Computing devices open a gateway for users to the information superhighway by connecting the users to communications networks, such as the Internet. As the Internet environment becomes more complex, this gateway needs to be monitored, controlled, and managed to protect the computing devices and the users. For example, malicious codes, computer viruses, and the like endanger the software and/or hardware of computing devices. The user's personal information, including sensitive financial and identity information, needs to be guarded against intrusions via the communications networks.
Currently, protections such as firewalls, implemented in either hardware or software, manage incoming and outgoing data traffic to and from the computing devices. In addition, separate connection security measures exist so that additional layers of protection may be added. For example, a firewall enables a user to allow or reject connection from a particular computing device. Once the connection is allowed, the user can further set conditions for that connection. For example, the user may elect to encrypt the data transmitted when the connection is active. Alternatively, the user may wish to set an authentication certificate before establishing the connection.
Existing practices separate these two protection mechanisms, and such separation creates management difficulties and redundancy in managing the traffic to and from a user's computing device. For example, the user needs to manage the firewall settings or conditions separately from managing connection security issues. The underlying implementation and code base for each mechanism operate differently, but yet have some overlapping functions. In addition, these mechanisms lack a common language such that the user or developer lacks the ability to query the underlying conditions.
SUMMARY
Embodiments of the invention enhance management of network traffic and communications by defining a common language and/or a common schema for expressing network security rules to handle both firewall rules or settings and connection security settings or preferences. Further aspects of the invention provide flexible incorporation or implementation of the common language/schema in a given group policy. Embodiments of the invention thus beneficially provide a robust and multi-profile interface for controlling and managing network traffic. Alternative aspects of the invention further enable validation, query, importation, export, and other operations on the network security rules using the common language and schema.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Other features will be in part apparent and in part pointed out hereinafter.
Appendix A includes Tables 1 to 17 describing exemplary implementations of embodiments of the invention.
Corresponding reference characters indicate corresponding parts throughout the drawings.
DETAILED DESCRIPTION
Aspects of the invention beneficially enhance management and control of network security through the use of network security rules expressed in a common language and schema. Unlike existing practices of separating the management of firewall settings/conditions from connection security settings/conditions or having firewall rules contain limited connection security elements without a coherent schema, embodiments of the invention provide one common language and schema for expressing both firewall settings/conditions and connection security settings/conditions.
Referring now to
The computing device 102 includes a processor 110 for executing computer-executable instructions, and a memory area 112 for storing information and data for the computing device 102 and/or a user 114. The memory area 112 stores information including network security rules 116. Each of the network security rules 116 may include one or more firewall rules 120 and one or more connection security rules 122.
In one example, the network security rules 116 define settings, conditions, and procedures for controlling and managing traffic and/or communications over the communications network 108. In this example, the network security rules 116 include the firewall rules 120, which are conditions and settings for controlling incoming and outgoing data transmission to and from the computing device 102 or 104. As an illustration, a firewall rule 120 may specify that an internet connection port 25 132 is to be opened for the simple mail transfer protocol (SMTP). The connection security rules 122, on the other hand, include settings or conditions for controlling the manner in which an allowed connection should proceed. In another embodiment, connection security rules 122 are used for filtering network traffic based on internet protocol security (IPsec) and the associated authentication sets, suites, and cryptographic requirements. Using the example above, while port 25 132 is being opened for data transmission using SMTP, the computing device 102 may specify that the data should be encrypted using one or more encryption schemes.
In an alternative embodiment, a source 126 supplies or pushes the network security rules 116 to the computing device 102 or 104. For example, the source 126 may be a file, an automated computing software component, or another computing device that causes data representing the network security rules 116 to be delivered to the computing device 102 or 104. In this example, the source 126 may be controlled by an administrator in an enterprise or federated network system. In an alternative embodiment, the source 126 may provide updates to the network security rules 116. In yet another alternative embodiment, the network security rules 116 are part of a group policy, in which case all members of the group receive and apply the network security rules 116.
As such, when the group policy is pushed or delivered to the computing device 102 or 104 from the source 126, or when the computing device 102 or 104 otherwise receives the network security rules 116, the computing device 102 or 104 interprets the content of the rules based on the common language or schema described herein and executes the network security rules 116 to efficiently control traffic or communications from or to the computing device 102 or 104 according to the included firewall rules and connection security rules. By the same token, the computing device 102 or 104 may export or deliver the network security rules 116 to another computing device that is able to interpret the content of the network security rules 116.
Still referring to
Similarly,
Because the firewall rule 202 and the connection security rule 204 use the same common schema and language as described in Tables 1 to 17, embodiments of the invention are scalable and can adequately express the firewall settings/conditions and the connection security settings/conditions. Such common language and schema also enable efficient management of the network security rules. Aspects of the invention further permit complex network security rules be expressed and enable re-usable code to set both firewall and connection security settings/conditions.
In addition,
The data structure 242 further includes a third data field 250 including a default value for the parameter in the first data field 246. In one useful embodiment, the data structure 242 also includes a fourth data field 252 having at least two authentication sets and at least two cryptographic sets. Each of the authentication sets includes a collection of predefined parameters with corresponding predefined restrictions for defining an authentication scheme for the communication between the computing device and the at least one other computing device. Each of the cryptographic sets includes a collection of predefined parameters with corresponding predefined restrictions for defining a cryptographic scheme for the communication between the computing device and the at least one other computing device. It is to be understood that any number of authentication sets or cryptographic sets or any combination thereof may be implemented without departing from the scope of the invention.
Referring now to
Referring to Table 1 as an example, the limiting values define the characteristics of the restriction. For instance, for the parameter “Action,” the limiting values for the restrictions of this parameter are “Required: No; Repeatable: No; Type: Allow, Block, or Bypass.” At 306, the network security rule is executed. At 308, the communications are examined as a function of the network security rule for managing the communications from and to the computing device.
In one embodiment, at least one or more of the following restrictions to each of the one or more defined parameters are specified: required restriction, repeatable restriction, and type of restriction. In an alternative embodiment, at 310, the network security rule is validated by evaluating the parameters and the limiting values for each of the one or more parameters before executing. In a further alternative embodiment, user input is received at 312 via the UI 130 for modifying an already defined network security rule or creating a new network security rule. In another embodiment, the network security rule including the defined parameters and the specified restrictions is received from the memory area for one of the following: the computing device and the at least one other computing device. The received network security rule may include predetermined parameters with corresponding predefined restrictions.
In a further embodiment, the at least one connection security rule includes authentication sets and cryptographic sets. Each of the authentication sets includes a collection of predefined parameters with corresponding predefined restrictions for defining an authentication scheme for the communication between the computing device and the at least one other computing device. Each of the cryptographic sets includes a collection of predefined parameters with corresponding predefined restrictions for defining a cryptographic scheme for the communication between the computing device and the at least one other computing device. The network security rules may also be queried in response to the user input at 312.
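The following is an added example, not code from the patent or from Microsoft's implementation, showing how the parameter/restriction schema described above (Required, Repeatable, Type, plus a default value) can drive the validate-before-execute step at 310 for both a firewall rule and a connection security rule, using the SMTP port 25 scenario from the description. Only the “Action” restriction (Required: No; Repeatable: No; Type: Allow, Block, or Bypass) is taken from Table 1; every other parameter name, allowed value, default and sample rule is constructed for illustration.

```python
# Added example (not from the patent): a small validator for a rule schema in
# which every parameter carries Required / Repeatable / Type restrictions and
# an optional default (the first, second and third data fields of the
# description). Apart from the "Action" entry of the firewall schema, all
# parameter names, allowed values, defaults and sample rules are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Restriction:
    required: bool
    repeatable: bool
    allowed: Optional[frozenset] = None   # Type restriction; None: any value
    default: Optional[str] = None         # third data field: default value


# Firewall rules and connection security rules share one restriction vocabulary.
FIREWALL_SCHEMA = {
    "Action": Restriction(False, False, frozenset({"Allow", "Block", "Bypass"}), "Block"),
    "Direction": Restriction(True, False, frozenset({"In", "Out"})),
    "Protocol": Restriction(False, False, frozenset({"TCP", "UDP"})),
    "LocalPort": Restriction(False, True),   # repeatable: a rule may list several ports
}
CONNSEC_SCHEMA = {
    "Action": Restriction(True, False, frozenset({"SecureServer", "RequireInRequestOut"})),
    "Auth1Set": Restriction(True, False),     # constructed: name of an authentication set
    "Crypto2Set": Restriction(False, True, frozenset({"AES128-SHA1", "AES256-SHA256"})),
    "Encryption": Restriction(False, False, frozenset({"Required", "Optional", "None"}), "Optional"),
}


def validate(rule: dict, schema: dict) -> list:
    """Return every restriction the rule violates; an empty list means valid."""
    errors = [f"unknown parameter {name!r}" for name in rule if name not in schema]
    for name, r in schema.items():
        if name not in rule:
            if r.required:
                errors.append(f"missing required parameter {name!r}")
            continue
        values = rule[name] if isinstance(rule[name], list) else [rule[name]]
        if len(values) > 1 and not r.repeatable:
            errors.append(f"parameter {name!r} is not repeatable")
        for v in values:
            if r.allowed is not None and v not in r.allowed:
                errors.append(f"parameter {name!r}: {v!r} not one of {sorted(r.allowed)}")
    return errors


def prepare(rule: dict, schema: dict) -> dict:
    """Validate before execution (step 310); reject an invalid rule and
    otherwise fill in defaults so the executing component sees a complete rule."""
    errors = validate(rule, schema)
    if errors:
        raise ValueError("; ".join(errors))
    defaults = {n: r.default for n, r in schema.items() if r.default is not None}
    return {**defaults, **rule}


# Constructed rules for the SMTP example: open inbound TCP port 25, and
# require encryption on the allowed connection.
SMTP_FIREWALL_RULE = {"Direction": "In", "Protocol": "TCP", "LocalPort": "25", "Action": "Allow"}
SMTP_CONNSEC_RULE = {"Action": "SecureServer", "Auth1Set": "ComputerKerberos",
                     "Crypto2Set": ["AES256-SHA256", "AES128-SHA1"], "Encryption": "Required"}
# Constructed invalid rule: two Actions (not repeatable), a value outside the
# Action Type, and no Direction (required).
BAD_FIREWALL_RULE = {"Action": ["Allow", "Permit"], "LocalPort": ["25", "587"]}

if __name__ == "__main__":
    print(prepare(SMTP_FIREWALL_RULE, FIREWALL_SCHEMA))
    print(prepare(SMTP_CONNSEC_RULE, CONNSEC_SCHEMA))
    print(validate(BAD_FIREWALL_RULE, FIREWALL_SCHEMA))
```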
Similarly, the connection security rule section 404 includes one or more interactive operations for controlling connection security issues. For example, the section 404 includes “authentication,” “encryption,” “customize,” “default,” “import/export rules.” An indicator 406 associated with one or more of the operations in sections 402 and 404 denotes there are additional options or dialog windows.
In operation, computing device 102 or 104 executes computer-executable instructions such as those illustrated in the figures to implement aspects of the invention.
The order of execution or performance of the operations in embodiments of the invention illustrated and described herein is not essential, unless otherwise specified. That is, the operations may be performed in any order, unless otherwise specified, and embodiments of the invention may include additional or fewer operations than those disclosed herein. For example, it is contemplated that executing or performing a particular operation before, contemporaneously with, or after another operation is within the scope of aspects of the invention.
Embodiments of the invention may be implemented with computer-executable instructions. The computer-executable instructions may be organized into one or more computer-executable components or modules. Aspects of the invention may be implemented with any number and organization of such components or modules. For example, aspects of the invention are not limited to the specific computer-executable instructions or the specific components or modules illustrated in the figures and described herein. Other embodiments of the invention may include different computer-executable instructions or components having more or less functionality than illustrated and described herein.
When introducing elements of aspects of the invention or the embodiments thereof, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements.
Having described aspects of the invention in detail, it will be apparent that modifications and variations are possible without departing from the scope of aspects of the invention as defined in the appended claims. As various changes could be made in the above constructions, products, and methods without departing from the scope of aspects of the invention, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.
Appendix A
Table 1 illustrates an exemplary implementation of a firewall rule schema.
Table 2 illustrates an exemplary implementation of a firewall rule schema contents.
Table 3 illustrates an exemplary implementation of a firewall rule schema validation.
Table 4 illustrates an exemplary implementation of a connection security rule schema.
Table 5 illustrates an exemplary implementation of a connection security rule schema content.
Table 6 illustrates an exemplary implementation of a connection security rule schema validation.
Table 7 illustrates an exemplary implementation of a connection security authentication sets schema.
Table 8 illustrates an exemplary implementation of a connection security authentication sets schema validation.
Table 9 illustrates an exemplary implementation of a connection security authentication suites schema.
Table 10 illustrates an exemplary implementation of a connection security authentication suite methods schema.
Table 11 illustrates an exemplary implementation of a connection security authentication suite methods schema validation.
Table 12 illustrates an exemplary implementation of a connection security phase 1 cryptographic sets schema.
Table 13 illustrates an exemplary implementation of a connection security phase 1 cryptographic sets schema validation.
Table 14 illustrates an exemplary implementation of a connection security phase 1 cryptographic suites schema.
Table 15 illustrates an exemplary implementation of a connection security phase 2 cryptographic sets schema.
Table 16 illustrates an exemplary implementation of a connection security phase 2 cryptographic suites schema.
Table 17 illustrates an exemplary implementation of a connection security phase 2 cryptographic suites schema validation.
Claims
1. A method of controlling network security for a computing device, said method comprising:
- defining one or more parameters included in a network security rule for managing communications between the computing device and at least one other computing device via a data communications network, said network security rule expressing a multi-profile security policy including at least one of the following: a connection security rule and a firewall rule;
- specifying one or more restrictions to each of the one or more parameters, said specified one or more restrictions identifying limiting values for each of the one or more parameters;
- executing the network security rule; and
- examining the communications as a function of the network security rule for managing the communications from and to the computing device.
2. The method of claim 1, wherein specifying one or more restrictions further comprises specifying one or more of the following restrictions to each of the one or more parameters: required restriction, repeatable restriction, and type of restriction.
3. The method of claim 1, further comprising validating the network security rule by evaluating the parameters and the limiting values for each of the one or more parameters before executing.
4. The method of claim 1, further comprising providing the network security rule including the defined parameters and the specified restrictions from a memory area to one of the following: the computing device and the at least one other computing device.
5. The method of claim 1, further comprising receiving the network security rule including the defined parameters and the specified restrictions from the memory area for one of the following: the computing device and the at least one other computing device.
6. The method of claim 1, wherein the at least one connection security rule includes at least two authentication sets and at least two cryptographic sets, said each of the authentication sets including a collection of predefined parameters with corresponding predefined restrictions for defining an authentication scheme for the communication between the computing device and the at least one other computing device, said each of the cryptographic sets including a collection of predefined parameters with corresponding predefined restrictions for defining a cryptographic scheme for the communication between the computing device and the at least one other computing device.
7. The method of claim 1, further comprising defining a set of network security rules in the memory area, wherein the set of the network security rules include predefined parameters with corresponding predefined restrictions.
8. A computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy, said data structure comprising:
- a first data field including data defining a parameter to be applied based on the network security policy, said network security policy defining at least one of the following: a firewall rule and a connection security rule; and
- a second data field including data specifying restrictions of the parameter included in the first data field, wherein the parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed, wherein the network security policy manages communications between a computing device and at least one other computing device.
9. The computer-readable medium of claim 8, further comprising a third data field including a default value for the parameter in the first data field.
10. The computer-readable medium of claim 8, wherein the second data field further includes at least one or more of the following restrictions to the parameter: required restriction, repeatable restriction, and type of restriction.
11. The computer-readable medium of claim 8, wherein the network security rule including the first data field and the second data field is provided from a memory area to one of the following: the computing device and the at least one other computing device.
12. The computer-readable medium of claim 8, wherein the network security rule including the first data field and the second data field is received from the memory area for one of the following: the computing device and the at least one other computing device.
13. The computer-readable medium of claim 8, further comprising a fourth data field including at least two authentication sets and at least two cryptographic sets.
14. The computer-readable medium of claim 9, wherein each of the authentication sets including a collection of predefined parameters with corresponding predefined restrictions for defining an authentication scheme for the communication between the computing device and the at least one other computing device, and wherein each of the cryptographic sets including a collection of predefined parameters with corresponding predefined restrictions for defining a cryptographic scheme for the communication between the computing device and the at least one other computing device.
15. A system of controlling network security for a computing device, said system comprising:
- a memory area storing data for one or more network security rules, said each of the network security rules expressing a multi-profile security policy including at least one of the following: a connection security rule and a firewall rule;
- a processor configured to execute computer-executable instructions for: defining one or more parameters included in each of the one or more network security rules for managing communications between the computing device and at least one other computing device via a data communications network; specifying one or more restrictions to each of one or more parameters, said specified one or more restrictions identifying limiting values for each of the one or more parameters; executing the network security rules; and examining the communications as a function of the network security rules for managing the communications from and to the computing device.
16. The system of claim 15, wherein the processor is configured to specify at least one or more of the following restrictions to each of the one or more defined parameters: required restriction, repeatable restriction, and type of restriction.
17. The system of claim 15, wherein the processor is further configured to validate the network security rules by evaluating the parameters and the limiting values for each of the one or more parameters before executing.
18. The system of claim 15, wherein the memory area is configured to receive the network security rules including a set of predefined parameters and corresponding predefined restrictions for one of the following: the computing device and the at least one other computing device.
19. The system of claim 15, further comprising a user interface for enabling a user to interact with the defined parameters and specified restrictions in the network security rules, and the user interface further enables the user to query the network security rules.
20. The system of claim 15, wherein the at least one connection security rule includes at least two authentication sets and at least two cryptographic sets, said each of the authentication sets including a collection of predefined parameters with corresponding predefined restrictions for defining an authentication scheme for the communication between the computing device and the at least one other computing device, said each of the cryptographic sets including a collection of predefined parameters with corresponding predefined restrictions for defining a cryptographic scheme for the communication between the computing device and the at least one other computing device.
Type: Application
Filed: May 9, 2007
Publication Date: Nov 13, 2008
Patent Grant number: 8201234
Applicant: MICROSOFT CORPORATION (Redmond, WA)
Inventors: Gerardo Diaz-Cuellar (Redmond, WA), David Abzarian (Kirkland, WA), Lokesh Srinivas Koppolu (Redmond, WA), Eran Yariv (Redmond, WA)
Application Number: 11/746,478